Authorities in Belgium are expected to say in a draft ruling that the Interactive Advertising Bureau Europe's "transparency and consent" framework violates the General Data Protection Regulation, the online ad industry organization said Friday.
“The draft ruling will apparently identify infringements of the GDPR by IAB Europe, but it will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling,” the organization stated.
The draft ruling stems from an investigation into the IAB Europe's three-year-old transparency and consent framework -- which aims to serve as a standardized technology for notifying consumers about data collection, obtaining their consent, and informing online ad companies about consumers' decisions.
Privacy advocates, including the Irish Council for Civil Liberties have brought numerous complaints over the framework.
The draft decision itself wasn't available Friday. But the Irish Council for Civil Liberties suggested that the Belgian authorities plan to say that IAB Europe's interface for obtaining consent -- which the privacy group calls the “'consent' pop-up system” -- violates Europe's broad privacy rules.
The privacy group also says the draft decision will find that the “identification code” about web users -- based on apps used, sites visited and how they respond to the consent pop-ups -- is itself “personal data” under European law.
“IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach in at the heart of online advertising,” Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, stated Friday. “We hope the decision of the Belgian Data Protection Authority will finally force the online advertising industry to reform.”
The draft ruling is coming around one year after regulators with the Belgian Data Protection Authority said in preliminary findings that IAB Europe's transparency and consent mechanism allows companies to disclose sensitive data about consumers without their permission.
That preliminary finding was nonbinding, IAB Europe said at the time.